Skip to content

zerocracy.yml declares actions: write permission but never uses it #1697

Description

@sdghsdkjlas27-dotcom

DESCRIPTION:
zerocracy.yml declares top-level contents: write AND actions: write. The actions: write scope allows the workflow to create/update/delete GitHub Actions secrets, workflows, and caches - never actually required by any step in this workflow. Violates principle of least privilege.

REPRODUCTION:

  1. Inspect each step; none uses Actions API with write.

IMPACT:
Excessive privilege; combined with PAT access to all org repos = ability to alter workflow files of any org repo.

RELATED FILES:
.github/workflows/zerocracy.yml

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions